CVE-2026-41144

LowUpdated

Published: 22 April 2026

Published

22 April 2026

Modified

21 May 2026

KEV Added

—

Patch

—

CVSS Score 0.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

EPSS Score 0.0014 33.0th percentile

Risk Priority 0 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41144 is a uncategorised-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Nasa Fprime. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-16 Memory Protection

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1543 Create or Modify System Process Persistence

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

attack.mitre.org →

Why these techniques?

Remote arbitrary file write via crafted DataPacket enables exploitation of the public-facing file uplink service (T1190) and direct modification of system processes/binaries for RCE (T1543).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

F´ (F Prime) is a framework that enables development and deployment of spaceflight and other embedded software applications. Prior to version 4.2.0, the bounds check byteOffset + dataSize > fileSize uses U32 addition that wraps around on overflow. An attacker-crafted…

DataPacket with byteOffset=0xFFFFFF9C and dataSize=100 overflows to 0, bypassing the check entirely. The subsequent file write proceeds at the original ~4GB offset. Additionally, Svc/FileUplink/File.cpp:20-31 performs no sanitization on the destination file path. Combined, these allow writing arbitrary data to any file at any offset. The impact is arbitrary file write leading to remote code execution on embedded targets. Note that this is a logic bug. ASAN does not detect it because all memory accesses are within valid buffers — the corruption occurs in file I/O. Version 4.2.0 contains a patch. No known workarounds are available.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-190 CWE-787

Affected Products

nasa

fprime

4.1.1

EU & UK References

🇪🇺 ENISA EUVD: EUVD-2026-24577

References

https://github.com/nasa/fprime/commit/cacdd555456bd83ab395b521d56c0330470ea798
Patch · security-advisories@github.com
https://github.com/nasa/fprime/security/advisories/GHSA-qmvv-rxh4-ccqh
Patch, Vendor Advisory · security-advisories@github.com